殭屍網路造成的傷害不可忽視，隨著持續多年對殭屍網路的研究，越來越多的殭屍網路檢測系統被推出，然而大多數的系統需要花費大量時間收集資料和偵測，這可能會使得在檢測出結果前就遭到攻擊，因此我們實驗室基於舊有的 BotCluster 系統，開發出了一套能大幅降低偵測時間的殭屍網路系統，Rapid Detection System.
在本文中，我們改善了 Rapid Detection System 對於資料傳輸的方式，舊有的批處理模式對於長時間監控網路環境有其不足之處，我們將以基於 Kafka 的串流系統設計替代舊有的批處理模式來彌補這問題。並且在串流模式下，我們將以Kafka改善Rapid Detection System的特徵更新方式，以解決原本使用HDFS更新特徵所產生的問題。實驗一比較了兩種批處理模式和串流模式所產生的惡意流量結果。實驗二比較了 Kafka 和 HDFS 兩種不同的特徵更新方式所產生的惡意流量結果。實驗三則是經由 BotCluster 來驗證串流模式和批處理模式在特徵更新時的準確性，透過這三場實驗驗證了以串流模式運行系統並以 Kafka 來及時更新特徵對於長時間控網路環境是較為合適的方法。

The harm caused by botnets cannot be ignored. With years of research on botnets,
more and more botnet detection systems have been launched. However, most systems need to spend much time collecting data and detecting, which may lead to attacks before the detection results. Therefore, based on BotCluster system, our laboratory has developed a botnet system, "Rapid Detection System," which can significantly reduce the detection time.
In this paper, we will improve the data transmission method for Rapid Detection System. Original batch mode has shortcomings in monitoring the network environment for a long time. To solve this problem, we will replace batch mode with a streaming system based on Kafka.Moreover, we improve the feature update method of Rapid Detection System by Kafka to solve the problems caused by using HDFS to update features in streaming mode. The first experiment compares the malicious session results produced by two kinds of Batch mode and Streaming mode. The second experiment compares the malicious session results produced by two different feature update methods, Kafka and HDFS. The third experiment is to verify the accuracy of feature update in streaming mode and batch mode through BotCluster. Through these three experiments, it is proved that running the system in Streaming mode and updating features with Kafka is a more appropriate method for monitoring the network environment for a long time.

[1] C.-Y. Wang, C.-L. Ou, Y.-E. Zhang, F.-M. Cho, J.-B. Chang, and C.-K. Shieh, "BotCluster: A Session-based P2P Botnet Clustering System on NetFlow," Computer Networks, Volume 145, 9 November 2018, pp. 175-189.
[2] A Streaming P2P Botnet Quick Detection System based on Group Features of BotCluster http://etds.lib.ncku.edu.tw/etdservice/view_metadata?etdun=U0026-1308201821074200&query_field1=&query_word1=Quick%20Detection
[3] Apache Flink https://flink.apache.org/
[4] Apache ActiveMQ https://activemq.apache.org/
[5] RabbitMQ https://www.rabbitmq.com/
[6] Apache Kafka https://kafka.apache.org/
[7] Apache ZooKeeper https://zookeeper.apache.org/
[8] Ju-Hyeon Moon, Yong-Tae Shin, “A Study of Distributed SDN Controller Based on Apache Kafka”
[9] Francesco Versaci, Luca Pireddu, Gianluigi Zanetti, “Kafka Interfaces for Composable Streaming Genomics Pipelines”
[10] Paul Le Noac’h, Alexandru Costan, Luc Bouge, “A Performance Evaluation of Apache Kafka in Support of Big Data Streaming Applications”